AOL hit by massive data breach

April 29, 2014 // 9:21 a.m.

Tags: #aol #breach #data-breach #encryption #hashing #insecurity #security #spam

Internet pioneer AOL has warned of a major breach that has affected a significant number of users, leaking email and postal addresses, contact information and password details to attackers unknown.

AOL launched in 1983 as the Control Video Corporation and produced a short-lived modem-based gaming download service for the Atari 2600 dubbed GameLine. The precursor to Valve's Steam and similar digital distribution systems, GameLine was not a financial success; the company had better luck with the Link series of online portals for the Commodore 64, Apple II and Macintosh, and IBM compatibles. In 1989, America Online was born as a walled-garden internet service which included chat, email and several games - including the first-ever web-based interactive fiction series and the first automated play-by-email game.

While internet-savvy consumers soon dropped AOL's walled-garden system for more open services from generic internet service providers, the company still boasts a considerable client base. Despite an ongoing slide in customers, the company boasts a near three-million user count in the US alone - and it's these customers who have been exposed in a serious security breach.

'We have determined that there was unauthorised access to information regarding a significant number of user accounts,' the company admitted late last night, following an investigation into spam messages sent from registered AOL accounts. 'This information included AOL users' email addresses, postal addresses, address book contact information, encrypted passwords and encrypted answers to security questions that we ask when a user resets his or her password, as well as certain employee information. We believe that spammers have used this contact information to send spoofed emails that appeared to come from roughly two per cent of our email accounts.'

The company has not confirmed the nature of the 'encryption' used to store the passwords; by industry best practice this should be a salted one-way hash function rather than reversible encryption, so that a leaked corpus cannot simply be decrypted. AOL does claim it has 'no indication' that said encryption was broken, despite the attackers having gained full access to the accounts from which spam is issuing - an indication that they have indeed been able to retrieve at least some passwords from the corpus.
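To make the distinction concrete, the following is an added example (not code from this article or from AOL, whose actual scheme is undisclosed): a salted one-way hash store that can only verify a password, beside a reversible store that hands every plaintext back to anyone holding the server key and the leaked records. PBKDF2-HMAC-SHA256 and the toy XOR stage are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed demo values; AOL has not said how its stored passwords were 'encrypted'.
PBKDF2_ITERATIONS = 600_000  # deliberately slow, so bulk guessing against a leaked corpus is costly


def store_password_hashed(password: str) -> dict:
    """Store a password as a salted, one-way PBKDF2-HMAC-SHA256 digest."""
    salt = secrets.token_bytes(16)  # per-user random salt: equal passwords yield different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_password_hashed(password: str, record: dict) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def same_password_indistinguishable(password: str) -> bool:
    """Salting means two users with the same password do not share a stored record."""
    a, b = store_password_hashed(password), store_password_hashed(password)
    return a["salt"] != b["salt"] and a["hash"] != b["hash"]


# The weak alternative: reversible 'encryption' under one server key. A toy XOR stream
# (constructed, not a real cipher) stands in for any reversible scheme; the design is the flaw.
def store_password_reversible(password: str, server_key: bytes) -> bytes:
    data = password.encode("utf-8")
    return bytes(b ^ server_key[i % len(server_key)] for i, b in enumerate(data))


def recover_password_reversible(record: bytes, server_key: bytes) -> str:
    """Whoever holds the key and the leaked records gets every plaintext straight back."""
    plain = bytes(b ^ server_key[i % len(server_key)] for i, b in enumerate(record))
    return plain.decode("utf-8")


if __name__ == "__main__":
    rec = store_password_hashed("correct horse battery staple")
    print(verify_password_hashed("correct horse battery staple", rec))  # True
    print(verify_password_hashed("wrong guess", rec))  # False
    key = secrets.token_bytes(32)
    enc = store_password_reversible("correct horse battery staple", key)
    print(recover_password_reversible(enc, key))  # the plaintext password
```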

Users affected by the breach - and, at this point, it looks to cover anyone with an AOL email address, active or otherwise - are advised to reset their password and change their security questions; if the same password is used anywhere else, that should be changed too.